Method and system for making a java system call

ABSTRACT

A method and system of executing a system call in an object oriented programming language such as Java™. At least some of the illustrative embodiments may be system and method of creating a first package comprising a first inaccessible method and a second package comprising a second method, initiating a native system call, invoking the first inaccessible method from a second method via the native system call, and returning a result to the second method. Invoking the first method further comprises checking a right of access to the first inaccessible method according to a security policy, and invoking the first inaccessible method in place of execution of the second method if access is permitted according to the security policy. An exception is generated if access to the first inaccessible method is not permitted according to the security policy.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application claims the benefit of European Patent Application No.04291918.3, filed Jul. 27, 2004, incorporated by reference herein as ifreproduced in full below.

BACKGROUND OF THE INVENTION

Mobile electronic devices such as personal digital assistants (PDAs) anddigital cellular telephones increasingly include applications written inthe Java™ programming language. Each application is represented by a setof accessible Applications Programming Interface (“APIs”). In execution,such a Java™ application may need to access APIs representing adifferent application, including those of the operating system.

Due to constraints of object oriented programming languages such as theJava language, applications may be isolated from each other such thatthey do not share methods kept separate by defined access levels. Forexample, the Java Virtual Machine (“JVM”) does not allow direct accessto individual memory addresses of the underlying system, preventingpotentially untrustworthy code from interfering with the native hardwareand operating system.

Various operating systems provide the means for an application to accessanother application. Specifically, an application may access methods ofanother application (or the operating system), subject to morerestricted access than those methods to which the application hasaccess. This type of access is referred to as a system call.

In an operating system such as UNIX, a system call cannot be calleddirectly from a user process. Instead, system calls are made indirectlyvia an interrupt and look-up in an interrupt table. System calls oftenuse a special machine code instruction which causes the processor tochange mode (e.g. to “supervisor mode” or “protected mode”), allowingthe operating system to perform restricted actions such as accessinghardware devices or the memory management unit.

Currently, there are no efficient ways of performing a system call insome object-oriented programming languages, such as Java™. It is thusdesirable to perform system calls between applications in an operatingsystem programmed in an object-oriented language such as Java™.

SUMMARY

The problems noted above are solved in large part by a method and systemof making a Java system call to enable access with security policychecking of a higher privilege code section. At least some of theillustrative embodiments may be a method of making a Java system call,comprising creating a first package comprising a first methodinaccessible to packages other than the first package and a secondpackage comprising a second method, invoking the first inaccessiblemethod from a second method, wherein a right of access to the firstinaccessible method is checked according to a security policy, andreturning a result of invoking the first inaccessible method to thesecond method.

Some illustrative embodiments are for a computer-readable medium storinga Java program that, when executed by a processor, performs a methodcomprising creating a first package comprising a first methodinaccessible to packages other than the first package and a secondpackage comprising a second method, invoking the first inaccessiblemethod from a second method, wherein a right of access to the firstinaccessible method is checked according to a security policy andreturning a result of invoking the first inaccessible method to thesecond method.

Other illustrative embodiments are a system comprising a processor, avirtual machine (“VM”) configured to execute on the processor, and aJava software program configured to execute on the VM, wherein the Javasoftware program is configured to create a first package comprising afirst method inaccessible to packages other than the first package and asecond package comprising a second method, invoke the first inaccessiblemethod from a second method, wherein a right of access to the firstinaccessible method is checked according to a security policy, andreturn a result of invoking the first inaccessible method to the secondmethod.

NOTATION AND NOMENCLATURE

Certain terms are used throughout the following description and claimsto refer to particular system components. As one skilled in the art willappreciate, semiconductor companies may refer to a component bydifferent names. This document does not intend to distinguish betweencomponents that differ in name but not function. In the followingdiscussion and in the claims, the terms “including” and “comprising” areused in an open-ended fashion, and thus should be interpreted to mean“including, but not limited to . . . ”. Also, the term “couple” or“couples” is intended to mean either an indirect or direct connection.Thus, if a first device couples to a second device, that connection maybe through a direct connection, or through an indirect connection viaother devices and connections.

A “method,” as used with respect to the Java programming language, is acollection of Java statements that can be invoked by other Java code.When a method is invoked, parameters known as arguments may be passed tothe method. The method performs some computations and may optionallyreturn a value.

A “class,” as used with respect to the Java programming language, is acollection of fields that hold data values and methods that operate onthose values. A class may also contain nested inner classes. Classes arethe fundamental structural element of Java programs. Java statementsappear within methods, and methods are defined within classes.

A “package,” as used with respect to the Java programming language, is anamed collection of classes. A package may also include sub-packages.Packages serve to group related classes and define a namespace for thecontained classes.

As part of security built into the Java programming language, eachentity—including methods and primitive data elements—has an access levelassociated with it. The access level may be “public,” indicating thatthe entity can be accessed by code in any class. The access levelalternatively may be “private”, meaning that the entity can only beaccessed by code that is contained within the class that defines theentity, or another access level: “default,” such that the entity can beaccessed by code that is contained within the class that defines theentity, or by a class that is contained in the same package as the classthat defines the entity. An additional access level is “protected”meaning that the entity may be accessed by a separate package, because aprotected method of a class of package 1 may be inherited by a class ofa separate package. “Final protected” indicates the access level meaningthat the entity can only be accessed by code that is contained withinthe class that defines the entity, or by classes within the same packageas the defining class, because the keyword final means that a methodcannot be inherited.

BRIEF DESCRIPTION OF THE DRAWINGS

For a more detailed description of the preferred embodiments of thepresent invention, reference will now be made to the accompanyingdrawings, wherein:

FIG. 1 shows a diagram of a system in accordance with embodiments of theinvention;

FIG. 2 shows an illustrative block diagram of the Java Stack Machine ofFIG. 1 in accordance with embodiments of the invention;

FIG. 3 illustrates a flow diagram of a method in accordance withembodiments of the invention; and

FIG. 4 depicts an illustrative embodiment of the system describedherein.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS

The following discussion is directed to various embodiments of theinvention. Although one or more of these embodiments may be preferred,the embodiments disclosed should not be interpreted, or otherwise used,as limiting the scope of the disclosure, unless otherwise specified. Inaddition, one skilled in the art will understand that the followingdescription has broad application, and the discussion of any embodimentsis meant only to be exemplary of those embodiments, and not intended tointimate that the scope of the disclosure, is limited to thoseembodiments.

According to security constraints of the Java language, each package mayfreely invoke the methods within the package, and may access methods ofother packages when the access right for those methods is “public” or“protected” if the class defining the method is inherited. A method of apackage may be designed to be inaccessible to other packages in twoways: 1) by using default package protection of Java methods and 2) byusing protected package protection of Java final methods. The ability toinvoke inaccessible methods of other packages is restricted regardlessof any system security policy implemented. System security policies mayinclude capacity based policies, ring based policies or any othersecurity policy which would be known by one skilled in the art. Thecompiler guarantees isolation between methods (i.e., code section APIs).Accordingly, an application generated using a set of APIs cannot accessa second, inaccessible set of APIs for another application.Specifically, in various embodiments, an application may be downloadedor imported from a source that is potentially untrustworthy, and thusmay not have access to the APIs for another application. In variousembodiments, the application may have restricted access or no access tothe APIs for the operating system. Under certain circumstances, it maybe desirable for the application to access another application via theoperating system, while protecting the accessed application, oralternatively access the operating system, but protect it from maliciousattacks from downloaded or imported applications. In order to invoke aninaccessible method of another package, a system call is needed.

FIG. 1 shows a system 100 in accordance with embodiments of theinvention. As shown, the system may comprise at least two processors 102and 104. Processor 102 may be referred to for purposes of thisdisclosure as a Java Stack Machine (“JSM”) and processor 104 may bereferred to as a Main Processor Unit (“MPU”). System 100 may alsocomprise memory 106, and a display 114 coupled to both the JSM 102 andMPU 104 via one or more busses 122. At least a portion of the memory 106may be shared by both processors, and if desired, other portions of thememory 106 may be designated as private to one processor or the other.Other components such as disk drives and controllers (not specificallyshown) may be included as desired for various applications.

System 100 also comprises a Java Virtual Machine (“JVM”) 108, compiler110, Java APIs 120, Java native APIs 124, and Java applications 118. TheJVM may comprise a class loader, bytecode verifier, garbage collector,and a bytecode interpreter loop to interpret the bytecodes that are notexecuted on the JSM processor 102. The Java applications 118 are writtenin Java language source code and may comprise references to one or moreclasses of the Java Application Program Interfaces (“APIs”) 120 and theJava native APIs 124. The Java native APIs 124 comprises interfaces toclasses and methods implemented in other languages such as C++, C orassembler.

The Java source code is converted or compiled to a series of bytecodes112, with each individual one of the bytecodes referred to as an“opcode.” Bytecodes 112 are provided to the JVM 108, possibly compiledby compiler 110, and provided to the JSM 102 and/or MPU 104 forexecution. In some embodiments, the JSM 102 may execute at least someJava bytecodes directly. When appropriate, however, the JVM 108 may alsorequest the MPU 104 to execute one or more Java bytecodes not executedor executable by the JSM 102. In addition to executing compiled Javabytecodes, the MPU 104 also may execute non-Java instructions.

The system 100 may host an operating system (not specifically shown)which performs various functions such as virtual memory management, thesystem task management (i.e., a scheduler), and most or all other nativetasks running on the system, management of the display 114, andreceiving input from various devices 116. This operating system may bewritten in Java in various embodiments of the present disclosure. As isdescribed in more detail herein, embodiments of the method for making aJava system call generally comprise checking the access rights to amethod, and only allowing a package to invoke a method of anotherpackage if permitted by the security policy.

Java bytecodes perform stack-based operations. For example, an “IADD”(integer add) Java opcode pops two integers off the top of the stack,adds them together, and pushes the sum back on the stack. A “simple”opcode is one in which the JSM 102 may perform an immediate operationeither in a single cycle (e.g., an IADD opcode) or in several cycles(e.g., “DUP2_X2”). A “complex” opcode is one in which several memoryaccesses may be required to be made within the JVM data structure forvarious verifications (e.g., NULL pointer, array boundaries).

A JSM processor 102 in accordance with embodiments of the invention mayexecute, in addition to the Java bytecodes, a second instruction setother than Java™ bytecodes. In some embodiments, the second instructionset may comprise register-based and memory-based operations rather thanstack-based operations. This second instruction set complements the Javainstruction set and, accordingly, may be referred to as a complementaryinstruction set architecture (“C-ISA”). By complementary, it is meantthat some complex Java bytecodes may be replaced by a “micro-sequence”comprising C-ISA instructions. The execution of Java code may thus bemade more efficient and run faster by replacing some opcodes with moreefficient micro-sequences of C-ISA instructions. For example, thecompiler 110 may scan a series of Java bytes codes and replace one ormore of such bytecodes with an optimized code segment mixing C-ISA andbytecodes and which is capable of more efficiently performing thefunction(s) performed by the initial group of Java bytecodes. In atleast this way, Java execution may be accelerated by the JSM 102.

FIG. 2 shows an illustrative block diagram of the JSM 102. As shown, theJSM comprises a core 128 coupled to data storage 136 and instructionstorage 130. The components of the core 128 preferably comprise aplurality of registers 140, address generation units (“AGUs”) 142 and147, micro-translation lookaside buffers (micro-TLBs) 144 and 156, amulti-entry micro-stack 146, an arithmetic logic unit (“ALU”) 148, amultiplier 150, decode logic 152, and instruction fetch logic 154. Datapointed to by operands of opcodes may be retrieved from data storage 122or from the micro-stack 146, and processed by the ALU 148. Instructionsmay be fetched from instruction storage 130 by fetch logic 154 anddecoded by decode logic 152. The AGUs 142 may be used to calculateaddresses for C-ISA instructions based, at least in part, on datacontained in the registers 140. AGU 147 couples to the micro-stack 146and may manage overflow and underflow conditions in the micro-stack 146.The micro-TLBs 144 and 156 perform the function of a cache for theaddress translation and memory protection information bits that areunder the control of the operating system.

Java bytecodes may pop data from and push data onto the micro-stack 146,which micro-stack 146 comprises a plurality of gates in the core 128 ofthe JSM 102. The micro-stack 146 comprises the top n entries of a largerstack that is implemented in data storage 136. Although the value of nmay be vary in different embodiments, in accordance with at least someembodiments the size n of the micro-stack may be the top eight entriesin the larger, memory-based stack. By implementing the micro-stack 146hardware in the core 128 of the processor 102, access to the datacontained in the micro-stack 146 is very fast, although any particularaccess speed is not a limitation on this disclosure.

ALU 148 adds, subtracts, and shifts data. The multiplier 150 may be usedto multiply two values together in one or more cycles. The instructionfetch logic 154 fetches instructions from instruction storage 130, whichinstructions may be decoded by decode logic 152. Because the JSM 102 isconfigured to process instructions from at least two instruction sets,the decode logic 152 comprises at least two modes of operation, one modefor each instruction set. As such, the decode logic unit 152 maycomprise a Java mode in which Java bytecodes may be decoded, and a C-ISAmode in which micro-sequences of C-ISA instructions may be decoded.

The data storage 136 comprises data cache (“D-cache”) 138 and datarandom access memory (“D-RAM”) 139. The stack (excluding the micro-stack146), arrays and non-critical data may be stored in the D-cache 138,while Java local variables, critical data and non-Java variables (e.g.,C, C++) may be stored in D-RAM 139. The instruction storage 130 maycomprise instruction RAM (“I-RAM”) 132 and instruction cache (“I-CACHE”)134. The I-RAM 132 may be used for opcodes or micro-sequences, and theI-CACHE 134 may be used to store other types of Java bytecode and mixedJava/C-ISA instructions.

FIG. 3 illustrates a flow diagram of a process in accordance withembodiments of the invention. Although the actions of this process arepresented and described serially, one of ordinary skill in the art willappreciate that the order may differ and/or some of the actions mayoccur in parallel. In particular, the process may start with creatingJava packages, each having one or more Java methods, and each Javamethod having an associated access level (block 300). The packages mayinclude a first package and a second package. In various embodiments,the first and second packages may be two applications. In various otherembodiments, the first package may be an operating system, while thesecond package may be an application. For various reasons, as discussedpreviously, the second package may need to invoke an inaccessible methodof the first package. For the second package to access a final protectedmethod of the first package, a system call is carried out.

The parameters for a system call may be defined as fields of the objectscomprising the methods of the first package and the second package(block 302). These parameters may be assigned a value or may remain voiduntil a value is assigned later. The second package, having a need toinvoke an inaccessible method of the first package, makes a system callto the inaccessible method in the first package (block 306). A check isdone (block 308) to determine whether, according to the security policy,the second package has access to the inaccessible method of the firstpackage it seeks to invoke. The details of the particular securitypolicy are not material here. Any security policy, now known ordeveloped later, may be implemented with embodiments of the presentdisclosure. If the second package is attempting to invoke a method ofthe first package to which it is not permitted access (i.e., thesecurity policy determines that the method should not be accessed), anexception is generated (block 310). The exception may be an invalidsyscall exception. When an exception is generated, the process ends.

If, according to the security policy, the second package has permissionto invoke the inaccessible method of the first package, the JVM 108switches from the method (i.e., a particular code segment) of the secondpackage to the inaccessible method (another specific code segment) ofthe first package (block 312). The JVM 108 creates an object to invokeexecution of the inaccessible method of the first package (block 314).Then the method of the first package that was called by the secondpackage may be executed (block 316). When the method of the firstpackage has been executed, the JVM 108 switches back to the method ofthe second package (block 318). The results of the inaccessible methodof the first package being executed are returned to the method of secondpackage as its execution resumes (block 320). This may be accomplishedusing one of the parameter fields established in block 302.

FIGS. 4 and 5 illustrate an example Java code embodiment of the processdescribed with reference to FIG. 3. FIG. 4 illustrates the code that maybe comprised in the first package. A class Titi is defined (lines 1-13).A Java method A of class Titi is defined (lines 9-12), as well as a Javamethod SyscallA that calls Java method A of class Titi (lines 5-8). Dueto the default package protection, Method A and Method SyscallA, areinaccessible to methods of other packages. Various parameters areestablished for the system call (lines 3-4).

FIG. 5 illustrates exemplary code that may be comprised for the secondpackage, which comprises an application seeking to invoke a method ofanother application. A class Toto is defined (lines 1-12). Variousparameters are established for the system call (lines 3-4). A publicJava method A is defined, providing an interface for the system call(lines 5-11).

FIG. 5 additionally illustrates exemplary code defining a Java nativemethod, Syscall, which carries out the system call (lines 13-27). Theparameters for the system call include callerpackage (of string type),packageAndClassNameToAccess (of string type), methodToCall (of stringtype), and callingobject (of object type) (lines 13-16). An object OO isdefined to interface between the first and second packages (line 18).

A Java method, checkRights, is invoked to compare the rights of thecalling package (i.e., the second package) to the package being accessed(i.e., the first package), and the inaccessible Java method beinginvoked (i.e., method A) according to the security policy (line 19). Ifthe security policy indicates that the calling package (i.e., the secondpackage) does not have permission to access the first package and theinaccessible method, an invalid syscall exception may be generated.

If the security policy permits access, then the Java Virtual Machine 108changes the code segment to the targeted first package (FIG. 5, line20). The JVM 108 creates an object used to invoke a system call (line21). Then, the JVM 108 copies the fields of the calling object (e.g., anobject of class Toto) in OO (line 22). The JVM 108 then calls theinvoked Java method, or in other words, makes the system call (line 23).In the example shown, VMCallMethod will invoke the Java methodOO.SyscallA(this). Generally speaking, the system call described abovewill flow as follows: Java method A (line 5 of FIG. 5) invokes thenative method (line 9 of FIG. 5), which invokes Syscall A (line 5 ofFIG. 4) which invokes Java method A (line 9 of FIG. 4). Once the resultis stored, this flow is reversed. After execution of the called Javamethod, the JVM 108 then copies the fields of OO back into the callingobject (line 24), restores the original code segment, resumes the methodof the calling package (line 25), and returns the results of the call(line 26).

System 100 may be implemented as a mobile cell phone such as that shownin FIG. 6. As shown, the mobile communication device includes anintegrated keypad 412 and display 414. The JSM processor 102 and MPUprocessor 104 and other components may be included in electronicspackage 410 connected to the keypad 412, display 414, and radiofrequency (“RF”) circuitry 416. The RF circuitry 416 may be connected toan antenna 418.

While the various embodiments of the invention have been shown anddescribed, modifications thereof can be made by one skilled in the artwithout departing from the spirit and teachings of the invention. Theembodiments described herein are illustrative only, and are not intendedto be limiting. Many variations and modifications of the inventiondisclosed herein are possible and are within the scope of the invention.Accordingly, the scope of protection is not limited by the descriptionset out above. Each and every claim is incorporated into thespecification as an embodiment of the present invention.

1. A method of making a Java system call, comprising: creating a firstpackage comprising a first method inaccessible to packages other thanthe first package and a second package comprising a second method;invoking the first inaccessible method from a second method, wherein aright of access to the first inaccessible method is checked according toa security policy; and returning a result of invoking the firstinaccessible method to the second method.
 2. The method of claim 1,wherein invoking the first method further comprises: invoking the firstinaccessible method in place of execution of the second method if accessis permitted according to the security policy.
 3. The method of claim 1,wherein invoking the first inaccessible method further comprises:creating an object for execution of the first inaccessible method. 4.The method of claim 1, wherein invoking the first inaccessible methodfurther comprises: executing the first inaccessible method; and resumingexecution of the second method; wherein the result of the execution ofthe first inaccessible method is returned to the second method.
 5. Themethod of claim 1, further comprising: initiating a native system call.6. The method of claim 1, further comprising: passing one or moreparameters of the second method to the first inaccessible method.
 7. Themethod of claim 2, further comprising: generating an exception if accessto the first inaccessible method is not permitted according to thesecurity policy.
 8. The method of claim 1, wherein invoking the firstinaccessible method from a second method further comprises: invoking theinaccessible operating system method in place of execution of theapplication method if access is permitted according to the securitypolicy; generating an exception if access to the inaccessible operatingsystem method is not permitted according to the security policy; passingone or more parameters of an application to an operating system;creating an object for execution of the inaccessible operating systemmethod; initiating a native system call; executing the inaccessibleoperating system method; and resuming execution of the applicationmethod; wherein the result of the invoking the inaccessible operatingsystem method is returned to the application method; and wherein theoperating system comprises the first package, the inaccessible operatingsystem method comprises the first method inaccessible to packages otherthan the first package, the application comprises the second package,and the application method comprises the second method.
 9. Acomputer-readable medium storing a Java program that, when executed by aprocessor, performs a method comprising: creating a first packagecomprising a first method inaccessible to packages other than the firstpackage and a second package comprising a second method; invoking thefirst inaccessible method from a second method, wherein a right ofaccess to the first inaccessible method is checked according to asecurity policy; and returning a result of invoking the firstinaccessible method to the second method.
 10. The computer-readablemedium claim 9, wherein invoking the first method further comprises:invoking the first inaccessible method in place of execution of thesecond method if access is permitted according to the security policy.11. The computer-readable medium claim 9, wherein invoking the firstmethod further comprises: creating an object for execution of the firstinaccessible method.
 12. The computer-readable medium claim 9, whereininvoking the first method further comprises: executing the firstinaccessible method; and resuming execution of the second method;wherein the result of the execution of the first inaccessible method isreturned to the second method.
 13. The computer-readable medium of claim9, the method further comprising: initiating a native system call. 14.The computer-readable medium of claim 9, the method further comprising:passing one or more parameters of the second method to the firstinaccessible method.
 15. The computer-readable medium of claim 9, themethod further comprising: generating an exception if access to thefirst inaccessible method is not permitted according to the securitypolicy.
 16. The computer-readable medium of claim 9, wherein invokingthe first inaccessible method from a second method further comprises:invoking the inaccessible operating system method in place of executionof the application method if access is permitted according to thesecurity policy; generating an exception if access to the inaccessibleoperating system method is not permitted according to the securitypolicy; passing one or more parameters of an application to an operatingsystem; creating an object for execution of the inaccessible operatingsystem method; initiating a native system call; executing theinaccessible operating system method; and resuming execution of theapplication method; wherein the result of the invoking the inaccessibleoperating system method is returned to the application method; andwherein the operating system comprises the first package, theinaccessible operating system method comprises the first methodinaccessible to packages other than the first package, the applicationcomprises the second package, and the application method comprises thesecond method.
 17. A system, comprising: a processor; a virtual machine(“VM”) configured to execute on the processor; and a Java softwareprogram configured to execute on the VM, wherein the Java softwareprogram is configured to: create a first package comprising a firstmethod inaccessible to packages other than the first package and asecond package comprising a second method; invoke the first inaccessiblemethod from a second method, wherein a right of access to the firstinaccessible method is checked according to a security policy; andreturn a result of invoking the first inaccessible method to the secondmethod.
 18. The system of claim 17, wherein invoking the first methodfurther comprises: invoking the first inaccessible method in place ofexecution of the second method if access is permitted according to thesecurity policy.
 19. The system of claim 17, wherein invoking the firstmethod further comprises: creating an object for execution of the firstinaccessible method.
 20. The system of claim 17, wherein invoking thefirst method further comprises: executing the first inaccessible method;and resuming execution of the second method; wherein the result of theexecution of the first inaccessible method is returned to the secondmethod.
 21. The system of claim 17, wherein the Java software program isfurther configured to initiate a native system call.
 22. The system ofclaim 17, wherein the Java software program is further configured topass one or more parameters of the second method to the firstinaccessible method.
 23. The system of claim 17, wherein the Javasoftware program is further configured to generate an exception ifaccess to the first inaccessible method is not permitted according tothe security policy.
 24. The system of claim 17, wherein invoking thefirst inaccessible method from a second method further comprises:invoking the inaccessible operating system method in place of executionof the application method if access is permitted according to thesecurity policy; generating an exception if access to the inaccessibleoperating system method is not permitted according to the securitypolicy; passing one or more parameters of an application to an operatingsystem; creating an object for execution of the inaccessible operatingsystem method; initiating a native system call; executing theinaccessible operating system method; and resuming execution of theapplication method; wherein the result of the invoking the inaccessibleoperating system method is returned to the application method; andwherein the operating system comprises the first package, theinaccessible operating system method comprises the first methodinaccessible to packages other than the first package, the applicationcomprises the second package, and the application method comprises thesecond method.
 25. The system of claim 17, wherein the system comprisesa mobile device.